
CVE-2025-32013: Server-Side Request Forgery (SSRF) in LNbits LNURL Authentication
9.3 - Critical

Apr 8, 2025
2 min read
By RavenTrk

Introduction

In April 2025, a critical security vulnerability (CVE-2025-32013) was discovered in LNbits, a Lightning Network wallet and API system. The flaw allowed Server-Side Request Forgery (SSRF) through insufficient validation of callback URLs used in the LNURL authentication flow.

Technical Details

LNbits takes the callback URL supplied by the user and sends an HTTP request to it with the httpx library, without any domain or IP-address filtering.

The behavior corresponds to the following code:

import httpx

def handle_lnurl_callback(callback_url):
    # Vulnerable: the user-controlled URL is fetched as-is, with no scheme,
    # domain or IP check, and every redirect the remote side sends is followed.
    response = httpx.get(callback_url, follow_redirects=True)
    return response.json()

The code above fetches any URL the user supplies, with no filtering, and follows every redirect. That makes the following exploit scenario possible, in which the server is made to request an internal service on its own loopback interface:

https://target.lnbits.app/api/lnurl/callback?url=http://127.0.0.1:8000/internal/api

Affected Versions

The vulnerability affects the following LNbits versions:

  • 0.10.3.dev1
  • 0.12.6 through 0.12.12
  • 0.12.12rc1

Permanent Fix

An update to the latest LNbits version is required:

pip install --upgrade lnbits

Mitigations

  • Set follow_redirects=False in the httpx.get() call so that redirects are never followed automatically.
  • Apply IP-address and domain-based filtering to callback URLs before they are requested.
  • LNURL authentication can be temporarily disabled if necessary.
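The following is an added example of how the first two mitigations can be combined in one hardened replacement for the vulnerable handler. It is not code from LNbits or from the advisory; the function names (validate_callback_url, is_safe_callback_url, fetch_lnurl_callback), the https-only policy, and the sample hostnames are assumptions made for the example. Validation rejects non-https schemes, URLs carrying userinfo, and any host that is a literal or resolves to a loopback, private, link-local or otherwise non-global address (IPv4-mapped IPv6 literals are unwrapped first). The fetch itself runs with follow_redirects=False and treats a 3xx answer as an error rather than a location to visit.

```python
import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlsplit

# Assumed policy for this example: LNURL callbacks are fetched over TLS only.
ALLOWED_SCHEMES = {"https"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def _system_resolve(host: str) -> List[str]:
    """Resolve a hostname to every IPv4/IPv6 address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public_address(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which covers cloud metadata endpoints), shared address space, unspecified
    # and documentation ranges; multicast is excluded explicitly.
    return ip.is_global and not ip.is_multicast


def validate_callback_url(url: str, resolve: Resolver = _system_resolve) -> str:
    """Return the URL unchanged if it is safe to fetch, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://trusted.example@127.0.0.1/" must not be mistaken for trusted.example
        raise ValueError("userinfo in callback URL is not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        raise ValueError("callback URL has no host")
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP address
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except OSError as exc:  # socket.gaierror and friends
            raise ValueError(f"{host!r} could not be resolved: {exc}") from exc
    if not addresses:
        raise ValueError(f"{host!r} did not resolve to any address")
    # Every address must be public: a name that resolves to one public and one
    # internal address would otherwise let the client pick the internal one.
    for ip in addresses:
        if not _is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return url


def is_safe_callback_url(url: str, resolve: Resolver = _system_resolve) -> bool:
    """Boolean convenience wrapper around validate_callback_url."""
    try:
        validate_callback_url(url, resolve)
        return True
    except ValueError:
        return False


def fetch_lnurl_callback(callback_url: str, resolve: Resolver = _system_resolve) -> dict:
    """Hardened replacement for the vulnerable handle_lnurl_callback."""
    safe_url = validate_callback_url(callback_url, resolve)
    import httpx  # imported here so the validator can be used without httpx installed

    response = httpx.get(safe_url, follow_redirects=False, timeout=5.0)
    if response.is_redirect:
        # A redirect could point anywhere, including back into the private network,
        # so it is refused instead of being validated again and followed.
        raise ValueError(f"callback redirected to {response.headers.get('location')!r}; refused")
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; the names and addresses are made up.
    fake_dns = {"good.example": ["93.184.216.34"], "evil.example": ["10.0.0.5"]}
    for candidate in (
        "https://good.example/lnurl/cb",
        "http://127.0.0.1:8000/internal/api",  # the advisory's exploit URL: wrong scheme
        "https://127.0.0.1:8000/internal/api",  # same target over https: loopback literal
        "https://169.254.169.254/latest/meta-data/",
        "https://[::ffff:127.0.0.1]/",
        "https://evil.example/",
    ):
        print(f"{candidate:45} -> {is_safe_callback_url(candidate, fake_dns.__getitem__)}")
```

One caveat worth knowing: the check resolves the hostname once and httpx resolves it again when connecting, so an attacker-controlled DNS record that changes between the two lookups (DNS rebinding) can still slip past a resolve-then-fetch design. Pinning the connection to the validated address, for example through a custom httpx transport, closes that gap; the example keeps the simpler resolve-then-fetch shape because that is what the mitigation list describes.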

Conclusion

CVE-2025-32013 exposes LNbits to SSRF attacks because callback URLs are not validated. It is vital that developers strictly filter user-supplied URLs before the server requests them, and that they control every network redirect the server might follow.

Thank you for reading! For more on cybersecurity, software, and beyond — don't forget to follow me!

"If you think you know-it-all about cybersecurity, this discipline was probably ill-explained to you."
~ Stephane Nappo
